Microsoft Overloads the Patch Process

WEBINAR:On-Demand

Opinion: It's going to take you a long time to deal with everything that happened today. Perhaps it would have been better for Microsoft to have two patch days this month.

I'm done patching my own systems.

I threw caution somewhat to the winds this time. I did do some testing; I have a test desktop and a test server I install these things on and run a few tests involving common tasks of mine, but this time was different from most others.

This time Microsoft had put out so much information and so many patches that I really didn't have time to understand it all before I applied them.

That's one way to do things; I don't have so many computers or critical applications here that I can't recover from anything going wrong.

If I were administering a large enterprise things would be different. The flood of security bulletins and patches released today by Microsoft was so large and complicated that administrators have no choice but to prioritize.

The problem of overload is even worse than the 12 security bulletins would indicate. Microsoft also chose today to release at least one Office patch unrelated to the vulnerabilities disclosed in the bulletins. There may be more, it's still too hard to tell given the sheer volume of information. Microsoft also chose today to release an update for Exchange Server 2000 related to a bulletin from last year.

But wait, there's more. Perhaps hoping to slip in under the radar, other vendors reported problems today. For instance, Symantec revealed a bug in the UPX (Ultimate Packer for eXecutables) engine in a large number of their products that could allow an attacker to inject code and take control from the engine. I'll have more on this later.

Earlier I toyed with the idea of seeing if today's flood of patches cleaned the slate of unpatched vulnerabilities on Windows, but it appears this isn't the case, at least depending on who you talk to.

Last fall Finjan announced that they had found 10 new vulnerabilities in Windows XP SP2. Microsoft still disputes the severity of the problems, and in any event confirmed today that "none of the bulletins released today addressed any of the alleged vulnerabilities on Finjan's list..." So fear not, there are more bulletins to come.

The point of having a regularly-scheduled patch day, and later on of giving limited advance information, was to help administrators plan for updates and to schedule time in which to test and apply them. There's no way that anyone's regularly-scheduled interval will be adequate to handle everything that happened today.

It might actually have been better for Microsoft to have announcd last Thursdayinstead of saying that there would be 13 advisories (in the end there were only 12, as Microsoft held one back for further testing)that the advisories would come in two phases.

They could declare a special off-schedule patch day next Tuesday or whatever an appropriate period would be. They could divide the two days based on priority or on products.

Since Microsoft didn't split up the problems for us, we'll have to prioritize on our own. But we'll have to do it with the issues and the patches in public, which means that the exploits will be coming out quicker than they would otherwise. We can only hope that overload days like this are rare, but maybe Microsoft will even the workflow out when they happen in the future.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.

By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.